This document provides an overview of the Active Roles (formerly known as ActiveRoles®) features.
Each feature is presented in a separate section containing the following elements:
- Feature Name The title of the section.
- Description An explanation of the feature.
- How to Start Instructions on how to find or start using the feature (if applicable).
Unless otherwise noted, the How to Start instructions assume that you are logged on as an Active Roles Admin. By default, an Active Roles Admin is any member of the Administrators local group on the computer running the Active Roles Administration Service. Additionally, you should verify that the Active Roles console is in Advanced view mode: on the View menu, click Mode, and then click Advanced Mode.
This section provides an overview of features and enhancements relating to Active Roles’ workflow capabilities, policies (administrative rules) and delegation model (administrative roles).
Identity information can be stored in various data systems, such as directories, databases, or even formatted text files. Management and synchronization of identity information among different data systems may require considerable time and effort. On top of that, performing data synchronization tasks manually is error-prone and can lead to duplication of information and incompatibility of data formats.
With Synchronization Service, you can automate the process of identity data synchronization among various data systems used in your enterprise environment.
Synchronization Service increases the efficiency of identity data management by allowing you to automate the creation, deprovisioning, and update operations between the data systems you use. For example, when an employee joins or leaves the organization, the identity information managed by Synchronization Service is automatically updated in the managed data systems, thereby reducing administrative workload and getting the new users up and running faster.
The use of scripting capabilities provides a flexible way to automate administrative tasks and integrate the administration of managed data systems with other business processes. By automating conventional tasks, Synchronization Service helps administrators to concentrate on strategic issues, such as planning the directory, increasing enterprise security, and supporting business-critical applications.
Synchronization Service offers the following major features.
Bidirectional synchronization allows you to synchronize all changes to identity information between your data systems. Using this type of synchronization, you can prevent potential identity information conflicts between different data sources. Note that bidirectional synchronization is unavailable for some of the supported data systems.
Delta processing mode
Delta processing mode allows you to synchronize identities more quickly by processing only the data that has changed in the source and target connected systems since their last synchronization. Both the full mode and the delta mode provide you with the flexibility of choosing the appropriate method for your synchronization tasks. Note that delta processing mode is unavailable for some of the supported data systems.
Synchronization of group membership
Synchronization Service allows you to ensure that group membership information is in sync in all connected data systems. For example, when creating a group object from an Active Directory domain to an AD LDS (ADAM) instance, you can configure rules to synchronize the Member attribute from the Active Directory domain to the AD LDS (ADAM) instance.
Windows PowerShell scripting
Synchronization Service includes a Windows PowerShell based scripting Shell for data synchronization. The Shell is implemented as a Windows PowerShell module, allowing administrators to automate synchronization tasks by using PowerShell scripts.
Attribute synchronization rules
With Synchronization Service, you can create and configure synchronization rules to generate values of target object attributes. These rules support the following types of synchronization:
- Direct synchronization Assigns the value of a source object attribute to the target object attribute you specify.
- Script-based synchronization Allows you to use a Windows PowerShell script to generate the target object attribute value.
- Rule-based synchronization Allows you to create and use rules to generate the target object attribute value you want.
Rule-based generation of distinguished names
Synchronization Service provides flexible rules for generating the Distinguished Name (DN) for objects being created. These rules allow you to ensure that created objects are named in full compliance with the naming conventions existing in your organization.
You can schedule the execution of data synchronization tasks and automatically perform them on a regular basis to satisfy your company’s policy and save your time and effort.
To access external data systems, Synchronization Service employs so-called connectors. A connector enables Synchronization Service to read and synchronize the identity data contained in a particular data system. Out of the box, Synchronization Service includes connectors that allow you to connect to the following data systems:
- Microsoft Active Directory Domain Services
- Microsoft Active Directory Lightweight Directory Services
- Microsoft Exchange Server
- Microsoft Skype for Business Server
- Microsoft Windows Azure Active Directory
- Microsoft Office 365
- Microsoft SQL Server
- Microsoft SharePoint
- Active Roles version 6.9 to 8.1.1.
- One Identity Manager version 6.1 or 6.0
- Data sources accessible through an OLE DB provider
- Delimited text files
How to start
For instructions on how to install, configure and user Synchronization Service, see the Synchronization Service Administration Guide document for Active Roles 8.1.1.
The Exchange Resource Forest Management (ERFM) feature of Active Roles allows you to automate mailbox provisioning for on-premises users in environments where the mailboxes and the user accounts are managed in different Active Directory (AD) forests. Such multi-forest environments are based on the resource forest model, and mailboxes provisioned in such environments are called linked mailboxes.
Multi-forest AD deployments have higher administrative and support costs. However, they offer the highest level of security isolation between AD objects and the Exchange service. As such, One Identity recommends configuring the resource forest model for use with Active Roles in organizations that:
Aim for an extra layer of data security.
Frequently experience organizational changes (for example, buying companies, or consolidating and breaking off branch companies, departments and other business units).
Abide by certain legal or regulatory requirements.
AD deployments following the resource forest model use two types of AD forests:
Account forests: These AD forests store the user objects. Organizations can use one or more account forests in the resource forest model.
Resource forest: This AD forest contains the Exchange server and stores the mailboxes of the user objects.
With ERFM, you can automate the provisioning, synchronization and deprovisioning of linked mailboxes in the resource forest for user accounts in the account forest(s).
During provisioning, Active Roles can automatically create linked mailboxes for new users (if you select to create a mailbox for the user), or create linked mailboxes for existing users without a mailbox.
In both cases, Active Roles creates a disabled shadow user account in the resource forest for the user, then links it to the user account of the user in the account forest (also known as the master account).
NOTE: By default, the shadow user account has the same name as the master user account in the account forest. However, if a shadow account with the same name already exists (for example, because Active Roles has already created a linked mailbox for a user in a different account forest), Active Roles uses a different shadow account name to maintain uniqueness.
Once a linked mailbox is created, Active Roles automatically synchronizes the properties of the master user accounts with their shadow accounts, whenever you modify them.
Finally, if the master user account is deprovisioned, Active Roles automatically deprovisions its shadow account as well, provided that you applied mailbox deprovisioning policies to the container that holds the shadow accounts in the resource forest.
NOTE: Like other AD objects, you can un-deprovision master user accounts as well. However, their shadow accounts are un-deprovisioned automatically only if the container of the deprovisioned master accounts has the ERFM - Mailbox Management built-in policy applied on them.
For more information on the prerequisites and configuration of ERFM and linked mailboxes, see Configuring linked mailboxes with Exchange Resource Forest Management in the Active Roles Administration Guide.